blob: 34bae28ac6aa14e768223a77e6572cf5e7e55cf5 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
|
/* { dg-skip-if "requires hosted libstdc++ for stdlib malloc" { ! hostedlib } } */
#include "analyzer-decls.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* malloc with tainted size from a syscall. */
void *p;
void __attribute__((tainted_args))
test_1 (size_t sz) /* { dg-message "\\(1\\) function 'test_1' marked with '__attribute__\\(\\(tainted_args\\)\\)'" } */
{
/* TODO: should have a message saying why "sz" is tainted, e.g.
"treating 'sz' as attacker-controlled because 'test_1' is marked with '__attribute__((tainted_args))'" */
p = malloc (sz); /* { dg-warning "use of attacker-controlled value 'sz' as allocation size without upper-bounds checking" "warning" } */
/* { dg-message "\\(\[0-9\]+\\) use of attacker-controlled value 'sz' as allocation size without upper-bounds checking" "final event" { target *-*-* } .-1 } */
}
|
